Digital signature technology combats spam menace to electronic messaging

Johannesburg, 22 Jan 2007

Spam is putting a huge dent in the value of e-mail. The widespread and implicit trust in the use of e-mail as a business and personal communications medium is being steadily undermined by burgeoning unwanted commercial messages (spam) - a situation that seriously needs to be addressed by businesses providing e-mail-based services.

"We have had to find ways of restoring the high levels of trust in this most pervasive of technologies and to reinstate it as the wonderful tool that it is," says Mike Wright, CEO of international electronic messaging specialist Striata.

"Fortunately there are many bright, committed people and organisations worldwide who are working on solutions that will ensure spam levels are significantly reduced. It is a huge task, particularly when it is realised that in the US alone, 55% of the total population use e-mail on a daily basis.

"E-mail reaches an audience of huge critical mass in developed countries and is rapidly growing in developing countries. It is personal, pervasive, powerful and persuasive and thus for businesses became the delivery vehicle of choice for marketing and operational communications, word-of-mouth marketing and added-value interaction and communication with customers in the form of e-billing and other services."

Wright adds that there are a number of methods, processes and technologies by which organisations like Striata can ensure that spam is minimised. One of the most valuable yet under-utilised is sender authentication, in which all outgoing e-mails are digitally signed. It confirms to the receiving party that the sender is in fact who he purports to be.

"MultiChoice SA is a good example of this. All of its month-end outgoing invoices and statements are digitally signed which ensures the customer receives the documentation and that they can be guaranteed that they came from MultiChoice. However, because digital signatures require active participation by the recipient, alternative solutions had to be developed to ensure a more 'under-the-hood' approach."

One such system, called SPF (sender policy framework), requires domain owners to publish their mail server settings as an SPF record in the DNS (domain name system). This allows recipients' e-mail servers to check whether an e-mail is coming from a server authorised to send e-mail for that specific domain.

Wright says DomainKeys is another e-mail authentication system designed to verify the identity of an e-mail sender as well as message integrity. "An enhanced protocol called DomainKeys Identified Mail (DKIM) has since been created and has formed the basis for an IETF (Internet Engineering Task Force) working group which could see it becoming an IETF standard."

DomainKeys offers almost total end-to-end integrity from a signing to a verifying mail transfer agent (MTA), independently of SMTP (simple mail transfer protocol) routing, with the signing MTA in most cases acting on behalf of the sender and the verifying MTA on behalf of the recipient.

"This does not prevent abusive behaviour but it does allow e-mail abuse to be more easily detected and to be tracked. Yahoo signs all its outgoing e-mail with DomainKeys and verifies all incoming mail on a huge scale - more than 300 million messages a day."

Striata has implemented both SPF and DomainKeys for many of its clients. "We openly advocate the use of digital signature technology for companies that are customer-centric and focused on using e-mail for e-billing and other services," adds Wright.

He believes banks need to evaluate methods of counteracting "phishing", or "the devious social engineering employed by dishonest individuals", to extract a confidential bank account or credit card code from the legitimate owner of the account or card in order to carry out fraudulent transactions.

"Every bank operating in South Africa should be digitally signing their outgoing e-mails. There are challenges inherent in doing this because recipients' anti-virus programs may add to each mail a notice confirming that it has been checked and in so doing it will alter the contents of the e-mail and 'break' the digital signature.

"Anti-virus software therefore has to be adjusted so that it will not alter the e-mail contents and break the digital signature. Another part of implementing these types of solutions requires that the organisation must communicate with its e-mail recipient base and warn them of the digital signature so that they can understand the use of this technology."
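Why an appended scanner notice breaks a signature can be shown with the body hash that DKIM places in its signature header. This is an added example, not part of the original release; it assumes DKIM's "relaxed" body canonicalization with SHA-256 (RFC 6376), and the message bodies are constructed.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of spaces/tabs and drop whitespace at the end of each line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at the end
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, length=None) -> str:
    """Base64 SHA-256 of the canonical body, as carried in the bh= tag."""
    canon = relaxed_body(body)
    if length is not None:                 # l= tag: hash only the first bytes
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def verify_body(body: bytes, signed_bh: str, length=None) -> bool:
    """Recompute the hash at the receiving side and compare with bh=."""
    return body_hash(body, length) == signed_bh


# Constructed sample bodies.
SENT = b"Dear customer,\r\nYour January statement is attached.\r\n"
REWRAPPED = b"Dear customer,  \r\nYour  January statement is attached.\r\n\r\n"
SCANNED = SENT + b"--\r\nThis message was checked by a virus scanner.\r\n"

SIGNED_BH = body_hash(SENT)                # computed by the signing MTA
SIGNED_LEN = len(relaxed_body(SENT))       # value a signer would put in l=

if __name__ == "__main__":
    print("unchanged:", verify_body(SENT, SIGNED_BH))
    print("whitespace changed:", verify_body(REWRAPPED, SIGNED_BH))
    print("notice appended:", verify_body(SCANNED, SIGNED_BH))
    # With l= the appended notice verifies, but so would any other appended
    # text, which is why relying on l= is widely discouraged.
    print("notice appended, l= used:", verify_body(SCANNED, SIGNED_BH, SIGNED_LEN))
```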

The spam problem also extends to e-mail delivery specialists like Striata, which have to ensure they are "white-listed" with Internet service providers (ISPs) in order to be able to send high levels of e-mail. Wright says Striata is now white-listed with major ISPs like Internet Solutions, MWeb and UUNet and a further 200 major ISPs worldwide.

There are also "grey" and "black" listings. Companies have to ensure their servers are not blacklisted and need to run a daily check to confirm this among the more than 270 blacklists operating around the world. Grey listing is a process that reduces spam by cutting out mail that comes from compromised, virus-infected servers (Trojans, mailbots and zombies).

Wright says a zombie computer is one compromised by a "hacker", a computer virus or a Trojan and it is usually only one of many in a "botnet". Spammers remotely use them and the owners of these computers are completely unaware their systems have been "hijacked" in this fashion.

"Zombies have been widely used to send e-mail spam - as much as 80% of all spam worldwide. Through Zombies, spammers can avoid detection while the owners of the Zombie computers are paying for the spammers' use of their bandwidth. These circumstances constitute compelling reasons for companies using specialist electronic messaging service providers to ensure that their provider has adopted and implemented effective digital signature technology."

Wright says most companies sending their own bulk e-mail don't even realise how much of their e-mail is never making it to their customers: "Not communicating with your clients is a sure way to eventually lose them, making the delivery of your customer e-mails of paramount importance."

Striata is an application software developer and service provider focused on enabling secure electronic communication. Striata specialises in the secure delivery and payment of bills, statements, pay-stubs, invoices and all other confidential documents, via encrypted e-mail. Striata has been a provider of software and services in the electronic messaging arena since 1999 and has offices in New York, London, Sydney and Johannesburg, as well as partners in Ireland, Germany, The Netherlands, Central and South America, and Asia Pacific. Visit www.striata.com.
